Security operations centres have always been a numbers game with too many alerts, few analysts, and never enough hours in a shift. But something has changed. The arrival of AI models capable of identifying vulnerabilities and generating working exploits at machine speed has quietly shifted the terms of engagement between attackers and defenders. In this episode of the Security Strategist podcast, Richard Stiennon sits down with Edward Wu, founder and CEO of Dropzone AI, to unpack what the Mythos era actually means for the SOC and what defenders need to do about it right now.

The Alert Problem That AI Was Always Going to Solve

Wu didn't come to this conversation theoretically. Before founding Dropzone AI, he spent eight years at Palo Alto Networks building AI and machine learning detection products, systems that generated millions of security alerts. The conclusion he walked away with was that most security teams don't need another alert cannon. What they need is help processing the ones they already have.

That insight shaped everything about Dropzone's approach. The problem in most SOCs isn't a lack of signals, but it's analytical capacity. SIEMs stack-rank alerts by criticality, which sounds helpful until you realise that even a well-tuned system routinely surfaces 150 critical alerts per shift. No team handles that volume consistently. The alerts at the bottom of the queue, the ones that often contain the earliest indicators of a breach, simply never get looked at.

"AI can look at 50 alerts in parallel," Wu explains, and that's not a trivial capability. It means the lows, mediums, and informational alerts that security teams have historically deprioritised out of necessity can finally get attention. Several of Dropzone's customers have gone further; they've actually reversed years of detection tuning alerts that were switched off because they were deemed too noisy, because AI augmentation means the team now has the capacity to handle the volume. The aperture widens. Coverage improves, and holes in the detection fabric get closed rather than quietly accepted.

Mythos Changed the Timeline, Not the Outcome

When Anthropic published its findings on Mythos, the cybersecurity community took notice. Here was a model demonstrably capable of analysing code, discovering vulnerabilities, and writing working exploits with tasks that had previously required significant human expertise and time. Wu was watching closely, and his take is more measured than most of the commentary that followed.

He wasn't surprised. Models had been trending in this direction for some time, and when researchers revisited older models with better prompt engineering after the Mythos announcement, many found comparable outputs. What Mythos represented wasn't a sudden leap into unknown territory; it was confirmation that a step-function in attacker capability had arrived, and that the timeline for impact was no longer theoretical. "It was never a question of if," Wu says. "Mythos made the answer to when very concrete within the next couple of months."

The strategic implication is important to sit with. Vulnerability management is a slow-moving discipline with significant organisational friction. Patching schedules, competing priorities, and legacy infrastructure, these constraints don't bend quickly, regardless of how capable AI becomes on the offensive side. If attackers can now discover and weaponise vulnerabilities faster than defenders can patch them, the perimeter becomes harder to hold. Initial footholds become easier to gain.

This shifts the weight of the entire security programme toward detection and response. Wu frames it as a change in where the statistical advantage lies. Before a breach, attackers only need to be right once. But once they're inside, the math flips. On average, an attacker needs to make seven to ten moves to reach their objective. Detection and response teams have multiple opportunities to catch them, if the tripwires are sensitive enough, and if someone is actually paying attention to them.

Fighting AI with AI

Are you enjoying the content so far?

The phrase "fighting AI with AI" risks sounding abstract. Wu brings it back to operational reality. The most immediate application is alert investigation, still the most labour-intensive function in any detection and response team. AI agents can begin processing an alert within seconds of it being created. Mean time to response drops. Mean time to disposition drops. The window of opportunity for an attacker to move laterally, escalate privileges, or exfiltrate data gets materially smaller.

For larger teams, this translates into improved coverage and faster response. For smaller teams, it functions as genuine force multiplication; analysts spend less time on repetitive investigation work and more time on detection engineering, threat hunting, and closing gaps in the broader security architecture.

Wu also addresses the hallucination concern that comes up whenever AI is proposed for high-stakes environments. His answer is direct: "Hallucinations are caused by poor context engineering." Feed a model insufficient or irrelevant information, and it fills in the gaps. Feed it the right data, the specific logs, the relevant threat intelligence, and the contextual detail it needs, and it performs the analytical task accurately. The model isn't the problem. The scaffolding around it is what determines the outcome.

For CISOs considering where to start, Wu's advice is practical. Audit where the team is actually spending its time. Identify the bottlenecks. Then evaluate vendors — at least three, in production, in your own environment, against three criteria: does the technology work now, is the company's roadmap aligned with where you're trying to get to, and can you trust the engineering team to deliver it?

The Mythos era hasn't changed the fundamental cat-and-mouse dynamic of cybersecurity. But it has raised the stakes and raised the ceiling on what AI-augmented defence can deliver. If you want to find out more, visit Dropzone AI or connect with Edward Wu on LinkedIn.